INIT: Id "4" respawning too fast: disabled for 5 minutes
INIT: Id "6" respawning too fast: disabled for 5 minutes
INIT: Id "1" respawning too fast: disabled for 5 minutes
INIT: Id "3" respawning too fast: disabled for 5 minutes
INIT: Id "5" respawning too fast: disabled for 5 minutes
[ 132.993654] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.221' (ECDSA) to the list of known hosts.
[ 138.538278] random: sshd: uninitialized urandom read (32 bytes read)
[ 138.633154] audit: type=1400 audit(1569799737.899:7): avc: denied { map } for pid=1827 comm="syz-executor522" path="/root/syz-executor522134706" dev="sda1" ino=16461 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
executing program
executing program
executing program
executing program
executing program
executing program
[ 140.830339] ==================================================================
[ 140.837775] BUG: KASAN: use-after-free in xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.844768] Read of size 8 at addr ffff8881ce3980b8 by task kworker/0:1/22
[ 140.851754]
[ 140.853361] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 4.14.146+ #0
[ 140.859932] Workqueue: events xfrm_state_gc_task
[ 140.864662] Call Trace:
[ 140.867236]  dump_stack+0xca/0x134
[ 140.870764]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.875414]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.880061]  print_address_description+0x60/0x226
[ 140.884879]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.889626]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.894307]  __kasan_report.cold+0x1a/0x41
[ 140.898528]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.903180]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 140.907671]  ? kfree+0x1ca/0x3a0
[ 140.911022]  xfrm_state_gc_task+0x3d6/0x550
[ 140.915322]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 140.922322]  ? lock_acquire+0x12b/0x360
[ 140.926283]  process_one_work+0x7f1/0x1580
[ 140.930512]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 140.935166]  worker_thread+0xdd/0xdf0
[ 140.938951]  ? process_one_work+0x1580/0x1580
[ 140.943427]  kthread+0x31f/0x430
[ 140.946785]  ? kthread_create_on_node+0xf0/0xf0
[ 140.951432]  ret_from_fork+0x3a/0x50
[ 140.955133]
[ 140.956750] Allocated by task 1834:
[ 140.960353]  __kasan_kmalloc.part.0+0x53/0xc0
[ 140.964830]  ops_init+0xee/0x3f0
[ 140.968193]  setup_net+0x259/0x550
[ 140.971731]  copy_net_ns+0x195/0x480
[ 140.975432]  create_new_namespaces+0x373/0x760
[ 140.979991]  unshare_nsproxy_namespaces+0xa5/0x1e0
[ 140.984898]  SyS_unshare+0x34e/0x6c0
[ 140.988589]  do_syscall_64+0x19b/0x520
[ 140.992454]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 140.997618]  0xffffffffffffffff
[ 141.000872]
[ 141.002478] Freed by task 366:
[ 141.005648]  __kasan_slab_free+0x164/0x210
[ 141.009860]  kfree+0x108/0x3a0
[ 141.013304]  ops_free_list.part.0+0x1f9/0x330
[ 141.017772]  cleanup_net+0x466/0x870
[ 141.021460]  process_one_work+0x7f1/0x1580
[ 141.025672]  worker_thread+0xdd/0xdf0
[ 141.029451]  kthread+0x31f/0x430
[ 141.032794]  ret_from_fork+0x3a/0x50
[ 141.036482]  0xffffffffffffffff
[ 141.039745]
[ 141.041350] The buggy address belongs to the object at ffff8881ce398000
[ 141.041350]  which belongs to the cache kmalloc-8192 of size 8192
[ 141.054154] The buggy address is located 184 bytes inside of
[ 141.054154]  8192-byte region [ffff8881ce398000, ffff8881ce39a000)
[ 141.066196] The buggy address belongs to the page:
[ 141.071102] page:ffffea000738e600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
[ 141.081045] flags: 0x4000000000010200(slab|head)
[ 141.085777] raw: 4000000000010200 0000000000000000 0000000000000000 0000000100030003
[ 141.093721] raw: dead000000000100 dead000000000200 ffff8881da802400 0000000000000000
[ 141.101587] page dumped because: kasan: bad access detected
[ 141.107271]
[ 141.108873] Memory state around the buggy address:
[ 141.113779]  ffff8881ce397f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 141.121116]  ffff8881ce398000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.128452] >ffff8881ce398080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.135787]                                         ^
[ 141.140963]  ffff8881ce398100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.148307]  ffff8881ce398180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 141.155643] ==================================================================
[ 141.162977] Disabling lock debugging due to kernel taint
[ 141.168464] Kernel panic - not syncing: panic_on_warn set ...
[ 141.168464]
[ 141.175838] CPU: 0 PID: 22 Comm: kworker/0:1 Tainted: G B 4.14.146+ #0
[ 141.183620] Workqueue: events xfrm_state_gc_task
[ 141.188363] Call Trace:
[ 141.190932]  dump_stack+0xca/0x134
[ 141.194449]  panic+0x1ea/0x3d3
[ 141.197729]  ? add_taint.cold+0x16/0x16
[ 141.201690]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 141.206335]  end_report+0x43/0x49
[ 141.209780]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 141.214447]  __kasan_report.cold+0xd/0x41
[ 141.218581]  ? xfrm6_tunnel_destroy+0x4e0/0x560
[ 141.223230]  xfrm6_tunnel_destroy+0x4e0/0x560
[ 141.227706]  ? kfree+0x1ca/0x3a0
[ 141.231053]  xfrm_state_gc_task+0x3d6/0x550
[ 141.235352]  ? xfrm_state_unregister_afinfo+0x190/0x190
[ 141.240705]  ? lock_acquire+0x12b/0x360
[ 141.244660]  process_one_work+0x7f1/0x1580
[ 141.248873]  ? pwq_dec_nr_in_flight+0x2c0/0x2c0
[ 141.253520]  worker_thread+0xdd/0xdf0
[ 141.257317]  ? process_one_work+0x1580/0x1580
[ 141.261800]  kthread+0x31f/0x430
[ 141.265283]  ? kthread_create_on_node+0xf0/0xf0
[ 141.270072]  ret_from_fork+0x3a/0x50
[ 141.274726] Kernel Offset: 0xbe00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 141.285680] Rebooting in 86400 seconds..